Bug 19792 - libgit2 possible security issue(s) fixed upstream in 0.24.3 and 0.24.6 (CVE-2017-533[89], CVE-2016-1012[89], and CVE-2016-10130)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/706478/
Whiteboard: MGA5-32-OK advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks: 19553
Reported: 2016-11-15 20:48 CET by David Walser
Modified: 2017-08-29 22:36 CEST
Source RPM: libgit2-0.24.1-2.mga6.src.rpm

Description David Walser 2016-11-15 20:48:43 CET
Fedora has issued an advisory on October 14:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J4N55YQZ6VZHWKIMAZPPZW5HKF5NG66U/

We should update Cauldron to 0.24.3 at least.

I don't know what the issues are or if Mageia 5 is affected.
Comment 1 Jani Välimaa 2017-01-24 18:05:31 CET
libgit2 was updated to 0.24.6 in cauldron.
Comment 2 David Walser 2017-01-24 18:18:00 CET
Thanks. I guess we're good.
Comment 3 David Walser 2017-02-17 12:09:09 CET
openSUSE has issued an advisory for this today (February 17):
https://lists.opensuse.org/opensuse-updates/2017-02/msg00072.html

There were additional security issues fixed in 0.24.6, which we've already updated to in Cauldron.

The SUSE bugs link to upstream commits to fix the issues:
https://bugzilla.suse.com/show_bug.cgi?id=1019036
https://bugzilla.suse.com/show_bug.cgi?id=1019037

We could check if those apply to the version in Mageia 5.

Version: Cauldron => 5
Summary: libgit2 possible security issue(s) fixed upstream in 0.24.3 => libgit2 possible security issue(s) fixed upstream in 0.24.3 and 0.24.6 (CVE-2017-533[89], CVE-2016-1012[89], and CVE-2016-10130)

Comment 4 Nicolas Lécureuil 2017-08-11 14:47:32 CEST
patch for CVE-2016-10128 added on SVN for mga5

CC: (none) => mageia

Comment 5 Nicolas Lécureuil 2017-08-11 14:59:09 CEST
patch for CVE-2016-10129 added on SVN for mga5
Comment 6 Nicolas Lécureuil 2017-08-11 15:02:21 CEST
mga5 does not seem affected by CVE-2016-10130
Comment 7 Nicolas Lécureuil 2017-08-11 15:05:09 CEST
mga5 is not affected by CVE-2017-5338 and CVE-2017-5339 either
Comment 8 Nicolas Lécureuil 2017-08-11 15:05:55 CEST
pushed in updates_testing for mageia 5, fixing CVE-2016-10128 and CVE-2016-10129

src.rpm: 
         libgit2-0.21.1-3.1.mga5

Assignee: thierry.vignaud => qa-bugs

Comment 9 David Walser 2017-08-11 15:10:00 CEST
Advisory:
========================

Updated libgit2 packages fix security vulnerabilities:

Insufficient sanitization allows some edge cases in the Git Smart Protocol
which can lead to reading outside of a buffer (CVE-2016-10128, CVE-2016-10129).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10128
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10129
https://lists.opensuse.org/opensuse-updates/2017-02/msg00072.html
========================

Updated packages in core/updates_testing:
========================
libgit2_21-0.21.1-3.1.mga5
libgit2-devel-0.21.1-3.1.mga5

from libgit2-0.21.1-3.1.mga5.src.rpm
David Walser 2017-08-11 15:49:35 CEST

Blocks: (none) => 19553

Comment 10 David Walser 2017-08-11 15:51:32 CEST
Advisory:
========================

Updated libgit2 packages fix security vulnerabilities:

Read out-of-bounds in git_oid_nfmt (CVE-2016-8568).

DoS using a null pointer dereference in git_commit_message (CVE-2016-8569).

Insufficient sanitization allows some edge cases in the Git Smart Protocol
which can lead to reading outside of a buffer (CVE-2016-10128, CVE-2016-10129).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8568
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8569
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10128
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10129
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4E77DG5KGQ7L34U75QY7O6NIPKZNQHQJ/
https://lists.opensuse.org/opensuse-updates/2017-02/msg00072.html
========================

Updated packages in core/updates_testing:
========================
libgit2_21-0.21.1-3.2.mga5
libgit2-devel-0.21.1-3.2.mga5

from libgit2-0.21.1-3.2.mga5.src.rpm
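
Added example (not part of this bug report, and not libgit2's or Mageia's code): the advisory above attributes CVE-2016-10128 and CVE-2016-10129 to insufficient sanitization in the Git Smart Protocol leading to reads outside of a buffer. The C sketch below shows the bounds checks a pkt-line length prefix needs before any payload byte is touched. The function and enum names are hypothetical, and the framing rules (four hex digits that count themselves, "0000" as flush, a 65520-byte cap) come from Git's protocol documentation, not from this page.

```c
#include <stdio.h>
#include <stddef.h>

#define PKT_MAX_LEN 65520  /* Git's documented cap: 65516 payload bytes + 4 */

/* Status codes for this sketch; the names are illustrative, not libgit2's. */
enum pkt_status { PKT_DATA = 0, PKT_FLUSH = 1, PKT_NEED_MORE = -1, PKT_INVALID = -2 };

static int hex_val(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Validate one pkt-line at buf[0..buflen). On PKT_DATA the payload is
 * buf+4 .. buf+4+*payload_len, and 4+*payload_len bytes are consumed. */
enum pkt_status pkt_parse(const unsigned char *buf, size_t buflen, size_t *payload_len)
{
    size_t len = 0;
    int i, v;

    *payload_len = 0;
    if (buflen < 4)
        return PKT_NEED_MORE;        /* do not read the prefix past the buffer */
    for (i = 0; i < 4; i++) {
        if ((v = hex_val(buf[i])) < 0)
            return PKT_INVALID;      /* length prefix is not four hex digits */
        len = (len << 4) | (size_t)v;
    }
    if (len == 0)
        return PKT_FLUSH;            /* "0000": flush packet, no payload */
    if (len < 4 || len > PKT_MAX_LEN)
        return PKT_INVALID;          /* shorter than its own prefix, or oversized */
    if (len > buflen)
        return PKT_NEED_MORE;        /* declared length exceeds bytes received */
    *payload_len = len - 4;          /* 0 for "0004": callers must not index it */
    return PKT_DATA;
}

int main(void)
{
    /* Constructed sample: claims 0x20 bytes but only 9 are present. */
    const unsigned char wire[] = "0020hello";
    size_t n;
    printf("status=%d\n", pkt_parse(wire, sizeof wire - 1, &n));
    return 0;
}
```
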
Comment 11 Lewis Smith 2017-08-27 21:29:05 CEST
Looking at M5/64

No previous updates for libgit2 (here package lib64git2_21).

 $ urpmq -il lib64git2_21
...
Summary     : A C implementation of the Git core methods as a library
Description :
libgit2 is a portable, pure C implementation of the Git core methods
provided as a re-entrant linkable library with a solid API, allowing
you to write native speed custom Git applications in any language
with bindings.
 /usr/lib64/libgit2.so.0.21.0
 /usr/lib64/libgit2.so.21
Super!

 $ urpmq --whatrequires lib64git2_21
...
subsurface

 $ urpmq -il subsurface
...
Summary     : Simple Dive Log Program
Description :
subsurface is a simple dive log program written in C
 /usr/bin/subsurface
Hmmm. Plus a lot of documentation in:
 /usr/share/subsurface/Documentation
 /usr/share/doc/subsurface/Documentation

Have just installed all this, and the best info seems to be to start the program and use its built-in User Manual from F1/Help menu. I could not find 'subsurface' in any of the XFCE application category menus, but it was in "All".
 $ subsurface
is quicker. Both present a good GUI. To explore, especially the possibility of importing dive data to try it - and libgit2 in the process?

CC: (none) => lewyssmith

Comment 12 Herman Viaene 2017-08-28 15:22:55 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues, installed subsurface to test.
Used
$ strace -o libgit.txt subsurface                         
can't find Qt localization for locale "nl-BE" searching in "/usr/share/qt4/translations" 
can't find Subsurface localization for locale "nl-BE" 

Added a new log, added gasses type, and dive depth, clicked on location map and saved the log.
Checked and found call to libgit in the trace. So OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Lewis Smith 2017-08-28 21:50:39 CEST

Whiteboard: MGA5-32-OK => MGA5-32-OK advisory

Comment 13 Lewis Smith 2017-08-29 22:06:08 CEST
Testing M5/64
Subsurface is one of the best applications I have come across (notwithstanding NO interest in diving). The whole thing is not just well presented, but has the best documentation I ever saw. Oh that more were this good. Interesting that one of the manual authors is no less than Linus Torvalds!

BEFORE update: lib64git2_21-0.21.1-3.mga5
Like Herman, with subsurface I created a new log, and filled in as much as I could. Had trouble getting the location double-click to work, but it did in the end. Surprised at not being able to (or finding how to) edit the dive profile after saving it. Saved the log before exiting.
 $ strace subsurface 2>&1 | grep libgit
 open("/lib64/libgit2.so.21", O_RDONLY|O_CLOEXEC) = 3
This line appears immediately on starting Subsurface.

AFTER update: lib64git2_21-0.21.1-3.2.mga5
With subsurface, opened the previous dive log and played with it a bit. Was able to alter everything, including the dive profile. Update looks good.
Validating it; advisory already uploaded.

Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 14 Mageia Robot 2017-08-29 22:36:57 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0319.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

